LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
OpenID 2.0 closing in on acceptance
A very common complaint about using the web today is the proliferation of user IDs and associated passwords, people would much rather see a "single sign-on" (SSO) system. There are many proposed solutions for SSO, but OpenID is one of the simpler and most widespread; it also has the advantage of not being tied to a specific vendor, with open specifications and freely available libraries. Currently the OpenID 2.0 specification is closing in on acceptance with just the "intellectual property" rights (IPR) policy standing in its way.
One of the nicest features of OpenID is its user-centric nature – users can have as much control as they want over their identity. Unlike other solutions, there is no central authority required to store identities or process authentication requests. Users can run their own server or pick one of the available providers to get a free ID. An overview of OpenID appeared on this page last year.
OpenID 2.0 adds a number of features that will be quite useful for both users and websites that implement OpenID ("relying parties" or RPs in OpenID terminology). The Attribute Exchange extension is one that could solve a common problem by allowing users to associate additional information with their identity, sharing and, more importantly, updating that information at multiple sites more or less transparently. If a user moves or changes email addresses, that information could be updated at multiple sites.
OpenID 2.0 also provides support for additional extensions to the protocol, allowing functionality beyond what is currently envisioned, while adding namespaces to avoid name collisions between those extensions. Directed identities takes the delegation idea from OpenID 1.1 one step further, allowing users to specify the URL of the OpenID provider (OP), rather than their user-specific URL, as their ID. The OP can then resolve the user's URL through some means (such as a login screen) and provide that back to the RP. As James Henstridge points out in his weblog, this would allow an OP like AOL to allow "aol.com" as the OpenID for millions of users. Perhaps not the OpenID of choice for everyone, but it does offer a pretty simple ID to remember.
There are other improvements included in OpenID 2.0, including interfacing with other identity solutions, security improvements, and allowing for arbitrary length of protocol messages, rather than being limited by the URL-length limits of browsers. There are freely available implementations of OpenID 2.0 for PHP, Python, and Java (at least), all of which interoperate.
A recent discussion on the specs mailing list would appear to pave the way for the most recent draft (Draft 12) to gain acceptance. According to David Recordon, there are no technical barriers to acceptance:
The only barrier is a legal one, the IPR policy needs to be agreed upon, then each contributor needs to sign a "non-assertion statement" that promises not to sue any implementer of the standard for patent infringement. This allows anyone to implement the standard without fear of lawsuits or having to pay royalties, at least to the companies that have signed. Other companies or, worse yet, patent trolls are, of course, free to sue.
OpenID still suffers from a lack of sites that accept it, though many big players are flirting with it: AOL and Microsoft for example. AOL is an OpenID provider, all AOL screen names have an OpenID if they wish to use it, but you cannot log in to AOL using it. Also, there is rampant speculation that Google's recently announced OpenSocial API will provide OpenID support eventually. So far, though, other than the LiveJournal blogging sites (where OpenID originated) and Digg, there just aren't that many sites where OpenID can be used. Perhaps finalizing and accepting the 2.0 specification will turn the tide.
New vulnerabilities
cups: buffer overflow
| Package(s): | cups | CVE #(s): | CVE-2007-4351 | ||||||||||||||||||||||||||||||||||||
| Created: | October 31, 2007 | Updated: | November 19, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | The CUPS code charged with dealing with TCP-based Internet Printer Protocol connections suffers from a buffer overflow which could possibly be exploitable remotely. The vulnerability is only present if remote hosts are allowed to connect to the IPP port, which is usually not the default setting. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
mldonkey: privilege escalation
| Package(s): | mldonkey | CVE #(s): | ||||
| Created: | October 25, 2007 | Updated: | October 31, 2007 | |||
| Description: | The MLDonkey peer-to-peer filesharing client can be used to add a user to the system with a valid login shell and no password. This can be used for the escalation of privilege. | |||||
| Alerts: |
| |||||
python: integer overflows
| Package(s): | python | CVE #(s): | CVE-2007-4965 | |||||||||||||||||||||||||||||||||
| Created: | October 30, 2007 | Updated: | July 1, 2008 | |||||||||||||||||||||||||||||||||
| Description: | Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
subversion: possible information leak
| Package(s): | subversion | CVE #(s): | CVE-2007-2448 | ||||||
| Created: | October 30, 2007 | Updated: | December 13, 2007 | ||||||
| Description: | Subversion 1.4.3 and earlier does not properly implement the "partial access" privilege for users who have access to changed paths but not copied paths, which allows remote authenticated users to obtain sensitive information (revision properties) via svn (1) propget, (2) proplist, or (3) propedit. | ||||||||
| Alerts: |
| ||||||||
xen-utils: insecure temp files
| Package(s): | xen-utils | CVE #(s): | CVE-2007-3919 | ||||||||||||
| Created: | October 25, 2007 | Updated: | May 16, 2008 | ||||||||||||
| Description: | The xen-utils collection of XEN administrative tools uses temporary files insecurely. Local users can use this to truncate arbitrary files. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Updated vulnerabilities
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache2: information disclosure
| Package(s): | apache | CVE #(s): | CVE-2007-1862 | |||||||||
| Created: | June 20, 2007 | Updated: | February 18, 2008 | |||||||||
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." | |||||||||||
| Alerts: |
| |||||||||||
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-3304 CVE-2006-5752 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 27, 2007 | Updated: | February 18, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
httpd: denial of service, cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CVE-2007-3847 CVE-2007-4465 | |||||||||||||||||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | February 15, 2008 | |||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
bochs: buffer overflow
| Package(s): | bochs | CVE #(s): | CVE-2007-2893 | ||||||||||||
| Created: | July 20, 2007 | Updated: | November 19, 2007 | ||||||||||||
| Description: | A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow." | ||||||||||||||
| Alerts: |
| ||||||||||||||
cacti: denial of service
| Package(s): | cacti | CVE #(s): | CVE-2007-3112 CVE-2007-3113 | ||||||||||||
| Created: | September 18, 2007 | Updated: | February 18, 2008 | ||||||||||||
| Description: | A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters. | ||||||||||||||
| Alerts: |
| ||||||||||||||
centericq: buffer overflows
| Package(s): | centericq | CVE #(s): | CVE-2007-3713 | |||||||||
| Created: | July 20, 2007 | Updated: | December 17, 2007 | |||||||||
| Description: | Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160. | |||||||||||
| Alerts: |
| |||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-3725 | ||||||||||||
| Created: | July 24, 2007 | Updated: | February 27, 2008 | ||||||||||||
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives. | ||||||||||||||
| Alerts: |
| ||||||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2007-4510 CVE-2007-4560 | ||||||||||||||||||
| Created: | September 3, 2007 | Updated: | February 13, 2008 | ||||||||||||||||||
| Description: | Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service. CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2007-0720 | |||||||||||||||
| Created: | March 26, 2007 | Updated: | February 7, 2008 | |||||||||||||||
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gpdf: integer overflow
| Package(s): | cups poppler xpdf | CVE #(s): | CVE-2007-3387 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 31, 2007 | Updated: | November 28, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
debian-goodies: privilege escalation
| Package(s): | debian-goodies | CVE #(s): | CVE-2007-3912 | ||||||
| Created: | October 5, 2007 | Updated: | March 24, 2008 | ||||||
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. | ||||||||
| Alerts: |
| ||||||||
dhcp: buffer overflow
| Package(s): | dhcp | CVE #(s): | CVE-2007-5365 | |||||||||||||||
| Created: | October 18, 2007 | Updated: | October 30, 2007 | |||||||||||||||
| Description: | The DHCP server has a buffer overflow vulnerability. DHCP does not correctly allocate space for network replies. This can be used by a malicious DHCP client to create a buffer overflow and possibly execute arbitrary code on the server machine. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
dovecot: privilege escalation
| Package(s): | dovecot | CVE #(s): | CVE-2007-4211 | |||||||||
| Created: | August 15, 2007 | Updated: | May 21, 2008 | |||||||||
| Description: | From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions." | |||||||||||
| Alerts: |
| |||||||||||
dovecot: directory traversal
| Package(s): | dovecot | CVE #(s): | CVE-2007-2231 | ||||||||||||
| Created: | May 8, 2007 | Updated: | May 21, 2008 | ||||||||||||
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||||||||||||||
| Alerts: |
| ||||||||||||||
drupal: multiple vulnerabilities
| Package(s): | drupal | CVE #(s): | CVE-2007-5593 CVE-2007-5594 CVE-2007-5595 CVE-2007-5596 CVE-2007-5597 | |||||||||
| Created: | October 24, 2007 | Updated: | December 7, 2007 | |||||||||
| Description: | From the Fedora advisory:
- Upgrade to 5.3, fixes: - HTTP response splitting. - Arbitrary code execution. - Cross-site scripting. - Cross-site request forgery. - Access bypass. | |||||||||||
| Alerts: |
| |||||||||||
eggdrop: stack-based buffer overflow
| Package(s): | eggdrop | CVE #(s): | CVE-2007-2807 | |||||||||||||||
| Created: | September 7, 2007 | Updated: | January 7, 2008 | |||||||||||||||
| Description: | A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server | CVE #(s): | CVE-2007-3257 | ||||||||||||||||||||||||||||||||||||
| Created: | June 18, 2007 | Updated: | November 7, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array." | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2007-3844 CVE-2007-3845 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 1, 2007 | Updated: | February 20, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey | CVE #(s): | CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 18, 2007 | Updated: | May 12, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
flac: arbitrary code execution
| Package(s): | flac | CVE #(s): | CVE-2007-4619 | ||||||||||||||||||||||||
| Created: | October 22, 2007 | Updated: | January 21, 2008 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
A security flaw was found in the way flac processed audio data. An attacker could create a carefully crafted FLAC audio file in such a way that it could cause an application linked with flac libraries to crash or execute arbitrary code when it was opened. (CVE-2007-4619) | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gallery2: multiple unspecified vulnerabilities
| Package(s): | gallery2 | CVE #(s): | CVE-2007-4650 | |||||||||
| Created: | September 5, 2007 | Updated: | November 9, 2007 | |||||||||
| Description: | Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in (a) WebDAV and (b) Reupload modules. | |||||||||||
| Alerts: |
| |||||||||||
gcc: file overwrite vulnerability
| Package(s): | gcc | CVE #(s): | CVE-2006-3619 | ||||||||||||
| Created: | September 6, 2006 | Updated: | March 14, 2008 | ||||||||||||
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. | ||||||||||||||
| Alerts: |
| ||||||||||||||
gd: buffer overflow
| Package(s): | gd | CVE #(s): | CVE-2007-0455 | ||||||||||||||||||||||||||||||
| Created: | February 7, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||||||||||||||
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
gd: multiple vulnerabilities
| Package(s): | gd | CVE #(s): | CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478 | |||||||||||||||||||||||||||
| Created: | August 6, 2007 | Updated: | February 28, 2008 | |||||||||||||||||||||||||||
| Description: | Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473) Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3474) The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. (CVE-2007-3475) Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. (CVE-2007-3476) The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allows attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. (CVE-2007-3477) Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. (CVE-2007-3478) | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gd: denial of service
| Package(s): | gd | CVE #(s): | CVE-2007-2756 | ||||||||||||||||||
| Created: | June 14, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||
| Description: | Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gimp: multiple vulnerabilities
| Package(s): | gimp | CVE #(s): | CVE-2007-2949 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 28, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gimp image editor has several vulnerabilities, including a problem where it can open PSD files with excessive dimensions and a possible stack overflow in the Sunras loader. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
gnome-screensaver: keyboard lock bypass
| Package(s): | gnome-screensaver | CVE #(s): | CVE-2007-3920 | ||||||||||||||||||
| Created: | October 24, 2007 | Updated: | June 13, 2008 | ||||||||||||||||||
| Description: | From the Ubuntu advisory:
Jens Askengren discovered that gnome-screensaver became confused when running under Compiz, and could lose keyboard lock focus. A local attacker could exploit this to bypass the user's locked screen saver. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
openssh: inappropriate use of trusted cookies
| Package(s): | gnome-ssh-askpass openssh | CVE #(s): | CVE-2007-4752 | ||||||||||||||||||||||||
| Created: | September 11, 2007 | Updated: | May 14, 2008 | ||||||||||||||||||||||||
| Description: | OpenSSH in versions prior 4.7 could use a trusted X11 cookie if the creation of an untrusted cookie failed. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith | CVE #(s): | CVE-2006-6175 | |||
| Created: | January 17, 2007 | Updated: | March 7, 2008 | |||
| Description: | Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user). | |||||
| Alerts: |
| |||||
hplip: arbitrary command execution
| Package(s): | hplip | CVE #(s): | CVE-2007-5208 | ||||||||||||||||||||||||
| Created: | October 12, 2007 | Updated: | January 14, 2008 | ||||||||||||||||||||||||
| Description: | Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user input. A local attacker could send a specially crafted request to the hpssd daemon, possibly allowing them to run arbitrary commands as the root user. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
imagemagick: multiple vulnerabilities
| Package(s): | imagemagick | CVE #(s): | CVE-2007-4985 CVE-2007-4986 CVE-2007-4987 CVE-2007-4988 | |||||||||||||||||||||
| Created: | October 4, 2007 | Updated: | April 17, 2008 | |||||||||||||||||||||
| Description: | The ImageMagick image decoders have multiple vulnerabilities. If a user can be tricked into processing a specially crafted DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with the user's privileges. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
ImageMagick: integer overflows
| Package(s): | imagemagick | CVE #(s): | CVE-2007-1797 | |||||||||||||||||||||||||||
| Created: | April 4, 2007 | Updated: | April 17, 2008 | |||||||||||||||||||||||||||
| Description: | Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
initscripts: information exposure
| Package(s): | initscripts | CVE #(s): | |||||||
| Created: | October 12, 2007 | Updated: | October 26, 2007 | ||||||
| Description: | The initscripts package do not set sufficiently restrictive permissions on the /var/log/btmp file, leading to an information exposure vulnerability in which users' passwords may be revealed to unprivileged users in cases when the passwords have been inadvertently entered as usernames at some login prompts. | ||||||||
| Alerts: |
| ||||||||
jasper: denial of service
| Package(s): | jasper | CVE #(s): | CVE-2007-2721 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | November 6, 2007 | ||||||||||||||||||
| Description: | The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
java-1.5.0-sun: multiple vulnerabilities
| Package(s): | java-1.5.0-sun | CVE #(s): | CVE-2007-3503 CVE-2007-3655 CVE-2007-3698 CVE-2007-3922 | ||||||||||||||||||||||||||||||
| Created: | August 6, 2007 | Updated: | June 24, 2008 | ||||||||||||||||||||||||||||||
| Description: | The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow vulnerability within the parsing code for JNLP files. A remote attacker could create a malicious JNLP file that could trigger this flaw and execute arbitrary code when opened. (CVE-2007-3655) The JSSE component did not correctly process SSL/TLS handshake requests. A remote attacker who is able to connect to a JSSE-based service could trigger this flaw leading to a denial-of-service. (CVE-2007-3698) A flaw was found in the applet class loader. An untrusted applet could use this flaw to circumvent network access restrictions, possibly connecting to services hosted on the machine that executed the applet. (CVE-2007-3922) | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
java-1.5.0-sun: multiple vulnerabilities
| Package(s): | java-1.5.0-sun | CVE #(s): | CVE-2007-5232 CVE-2007-5238 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2007-5274 |
| Created: | October 12, 2007 | Updated: | April 25, 2008 |
| Description: | Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS | ||